General

  • Target

    Swift. pasha bank. 10152021.exe

  • Size

    751KB

  • Sample

    211015-t2pzlabbe2

  • MD5

    2bd73a6b3cf01146aa8f73729311a11a

  • SHA1

    dd5695151b4e269f42cdc0ecf50a27fc144af025

  • SHA256

    c60a64f8910005f98f6cd8c5787e4fe8c6580751a43bdbbd6a14af1ef6999b8f

  • SHA512

    e04b457287aabce6022167d1fa1e7ea3e33d5bc549d749ff12745748505768747a360e2296c28ccad7b1102a7670467ac49ebe0476378ce672d4fd2cc5cf1b8b

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

C2

http://www.finetipster.com/pvxz/

Decoy

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique                            Count  ID
Persistence        Registry Run Keys / Startup Folder   1      T1060
Defense Evasion    Modify Registry                      2      T1112
Credential Access  Credentials in Files                 1      T1081
Collection         Data from Local System               1      T1005